rpms-fedora-extras/strongswan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

no longer use patches merged upstream

Browse Source
This commit is contained in:
Paul Wouters
2023-03-02 11:02:38 -05:00
parent 0132cc5668
commit 9d642ad352
3 changed files with 0 additions and 400 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch
View File

@@ -1,48 +0,0 @@
From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 17 Feb 2023 15:07:20 +0100
Subject: [PATCH] libtls: Fix authentication bypass and expired pointer
dereference
`public` is returned, but previously only if a trusted key was found.
We obviously don't want to return untrusted keys. However, since the
reference is released after determining the key type, the returned
object also doesn't have the correct refcount.
So when the returned reference is released after verifying the TLS
signature, the public key object is actually destroyed. The certificate
object then points to an expired pointer, which is dereferenced once it
itself is destroyed after the authentication is complete. Depending on
whether the pointer is valid (i.e. points to memory allocated to the
process) and what was allocated there after the public key was freed,
this could result in a segmentation fault or even code execution.
Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
Fixes: CVE-2023-26463
---
src/libtls/tls_server.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index c9c300917dd6..573893f2efb5 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
if (cert)
{
- public = cert->get_public_key(cert);
- if (public)
+ current = cert->get_public_key(cert);
+ if (current)
{
- key_type = public->get_type(public);
- public->destroy(public);
+ key_type = current->get_type(current);
+ current->destroy(current);
}
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
key_type, id, peer_auth, TRUE);
--
2.25.1

348
strongswan-5.9.9-man-paths.patch
View File

@@ -1,348 +0,0 @@
From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 16 Jan 2023 19:38:17 +0100
Subject: [PATCH] Make manual paths follow build configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use build-configured paths in manual pages instead of default values.
Makes easier customization to non-default values as done on Fedora for
example.
Squashed commit of the following:
commit e99de2aee9f26e3ab97d88902308107d9f048acd
Merge: 8effb06d6 29e324709
Author: Tobias Brunner <tobias@strongswan.org>
Date: Mon Jan 16 11:41:17 2023 +0100
Merge branch 'man-sysconfdir'
Closes strongswan/strongswan#1511
commit 29e32470974aea614c2486c2982767bd62670063
Author: Tobias Brunner <tobias@strongswan.org>
Date: Mon Jan 16 11:39:29 2023 +0100
swanctl: Don't use hard-coded path to sysconfdir
commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65
Author: Tobias Brunner <tobias@strongswan.org>
Date: Mon Jan 16 11:37:27 2023 +0100
conf: Add swanctl.conf and swanctl man pages to SEE ALSO
commit 7e43a5f3d28424abfb648b7afd24e25a042efd24
Author: Tobias Brunner <tobias@strongswan.org>
Date: Mon Jan 16 11:35:42 2023 +0100
conf: Replace hard-coded /etc where appropriate
Also document the actual value of ${sysconfdir}.
commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82
Author: Petr Menšík <pemensik@redhat.com>
Date: Sun Jan 15 16:55:45 2023 +0100
man: Use configured path for config files in man pages
commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0
Author: Petr Menšík <pemensik@redhat.com>
Date: Sun Jan 15 16:17:07 2023 +0100
ipsec: Include IPSEC_CONFDIR variable replacement in man page
Fedora has chosena different default directory to avoid conflicts with
libreswan. Use ${sysconfdir} variable to provide the correct location.
---
conf/options/charon.opt | 4 ++--
conf/plugins/unbound.opt | 2 +-
conf/strongswan.conf.5.tail.in | 10 ++++++----
man/ipsec.conf.5.in | 22 +++++++++++-----------
man/ipsec.secrets.5.in | 8 ++++----
src/ipsec/Makefile.am | 1 +
src/ipsec/_ipsec.8.in | 20 ++++++++++----------
src/swanctl/swanctl.conf.5.tail.in | 2 +-
8 files changed, 36 insertions(+), 33 deletions(-)
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 00949222a..72efd17de 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -38,8 +38,8 @@ charon.cert_cache = yes
charon.cache_crls = no
Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
be saved under a unique file name derived from the public key of the
- Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
- **/etc/swanctl/x509crl** (vici), respectively.
+ Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
+ **${sysconfdir}/swanctl/x509crl** (vici), respectively.
charon.check_current_path = no
Whether to use DPD to check if the current path still works after any
diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
index f8ca9ca12..007797310 100644
--- a/conf/plugins/unbound.opt
+++ b/conf/plugins/unbound.opt
@@ -1,7 +1,7 @@
charon.plugins.unbound.resolv_conf = /etc/resolv.conf
File to read DNS resolver configuration from.
-charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
+charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
File to read DNSSEC trust anchors from (usually root zone KSK).
File to read DNSSEC trust anchors from (usually root zone KSK). The format
diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
index baad476d1..74bbd8eec 100644
--- a/conf/strongswan.conf.5.tail.in
+++ b/conf/strongswan.conf.5.tail.in
@@ -458,6 +458,7 @@ The variables used above are configured as follows:
.na
${piddir} @piddir@
${prefix} @prefix@
+${sysconfdir} @sysconfdir@
${random_device} @random_device@
${urandom_device} @urandom_device@
.ad
@@ -467,18 +468,19 @@ ${urandom_device} @urandom_device@
.
.nf
.na
-/etc/strongswan.conf configuration file
-/etc/strongswan.d/ directory containing included config snippets
-/etc/strongswan.d/charon/ plugin specific config snippets
+@sysconfdir@/strongswan.conf configuration file
+@sysconfdir@/strongswan.d/ directory containing included config snippets
+@sysconfdir@/strongswan.d/charon/ plugin specific config snippets
.ad
.fi
.
.SH SEE ALSO
+\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
.SH HISTORY
Written for the
-.UR http://www.strongswan.org
+.UR https://www.strongswan.org
strongSwan project
.UE
by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index ced12680f..4e256538e 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
.BR leftcert " = <path>"
the path to the left participant's X.509 certificate. The file can be encoded
either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
are accepted. By default
.B leftcert
sets
@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
respectively.
Also accepted is the path to a file containing the public key in PEM, DER or SSH
-encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
are accepted.
.TP
.BR leftsendcert " = never | no | " ifasked " | always | yes"
@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
.SH "CA SECTIONS"
These are optional sections that can be used to assign special
parameters to a Certification Authority (CA). Because the daemons
-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
there is no need to explicitly add them with a CA section, unless you
want to assign special parameters (like a CRL) to a CA.
.TP
@@ -1235,7 +1235,7 @@ currently can have either the value
.TP
.BR cacert " = <path>"
defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
.br
A value in the form
.B %smartcard[<slot nr>[@<module>]]:<keyid>
@@ -1284,7 +1284,7 @@ section are:
.BR cachecrls " = yes | " no
if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
be cached in
-.I /etc/ipsec.d/crls/
+.I @sysconfdir@/ipsec.d/crls/
under a unique file name derived from the certification authority's public key.
.TP
.BR charondebug " = <debug list>"
@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
.SH FILES
.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
+@sysconfdir@/ipsec.conf
+@sysconfdir@/ipsec.d/aacerts
+@sysconfdir@/ipsec.d/acerts
+@sysconfdir@/ipsec.d/cacerts
+@sysconfdir@/ipsec.d/certs
+@sysconfdir@/ipsec.d/crls
.SH SEE ALSO
strongswan.conf(5), ipsec.secrets(5), ipsec(8)
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index 15e36faff..c54e1a18b 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -15,7 +15,7 @@ Here is an example.
.LP
.RS
.nf
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
+# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
: RSA moonKey.pem
@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
.TQ
.B : ECDSA <private key file> [ <passphrase> | %prompt ]
For the private key file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
.B %prompt
can be used which then causes the daemon to ask the user for the password
@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
.TP
.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
For the PKCS#12 file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the container is
+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
.B %prompt
can be used which then causes the daemon to ask the user for the password
@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
.LP
.SH FILES
-/etc/ipsec.secrets
+@sysconfdir@/ipsec.secrets
.SH SEE ALSO
ipsec.conf(5), strongswan.conf(5), ipsec(8)
.br
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index 0ab9ab27c..656eba49b 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in
-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
-e "s:@IPSEC_DIR@:$(ipsecdir):" \
+ -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
$(srcdir)/$@.in > $@
_ipsec : _ipsec.in
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
index bfc4d50c2..de00d3075 100644
--- a/src/ipsec/_ipsec.8.in
+++ b/src/ipsec/_ipsec.8.in
@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol.
.TP
.BI "listcacerts [" --utc ]
returns a list of X.509 Certification Authority (CA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP
directory or received via the IKE protocol.
.
.TP
.BI "listaacerts [" --utc ]
returns a list of X.509 Authorization Authority (AA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP
directory.
.
.TP
.BI "listocspcerts [" --utc ]
returns a list of X.509 OCSP Signer certificates that were either loaded
-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
+locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
directory or were sent by an OCSP server.
.
.TP
.BI "listacerts [" --utc ]
returns a list of X.509 Attribute certificates that were loaded locally by
-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
+the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory.
.
.TP
.BI "listgroups [" --utc ]
@@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP.
.TP
.BI "listcrls [" --utc ]
returns a list of Certificate Revocation Lists (CRLs) that were either loaded
-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
+by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from
an HTTP- or LDAP-based CRL distribution point.
.
.TP
@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
.TP
.B "rereadcacerts"
removes previously loaded CA certificates, reads all certificate files
-contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list
of Certification Authority (CA) certificates. This does not affect certificates
explicitly defined in a
.BR ipsec.conf (5)
@@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command.
.TP
.B "rereadaacerts"
removes previously loaded AA certificates, reads all certificate files
-contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list
of Authorization Authority (AA) certificates.
.
.TP
.B "rereadocspcerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
directory and adds them to the list of OCSP signer certificates.
.
.TP
.B "rereadacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP
directory and adds them to the list of attribute certificates.
.
.TP
.B "rereadcrls"
reads all Certificate Revocation Lists (CRLs) contained in the
-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
+\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
.
.TP
.B "rereadall"
diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in
index 4d24608da..036443843 100644
--- a/src/swanctl/swanctl.conf.5.tail.in
+++ b/src/swanctl/swanctl.conf.5.tail.in
@@ -2,7 +2,7 @@
.
.nf
.na
-/etc/swanctl/swanctl.conf configuration file
+@sysconfdir@/swanctl/swanctl.conf configuration file
.ad
.fi
.
--
2.39.0

4
strongswan.spec
View File

@@ -28,10 +28,6 @@ Source3: tmpfiles-strongswan.conf
Patch0: strongswan-5.6.0-uintptr_t.patch Patch0: strongswan-5.6.0-uintptr_t.patch
# https://github.com/strongswan/strongswan/issues/1198 # https://github.com/strongswan/strongswan/issues/1198
Patch1: strongswan-5.9.7-error-no-format.patch Patch1: strongswan-5.9.7-error-no-format.patch
# https://github.com/strongswan/strongswan/pull/1511
# https://github.com/strongswan/strongswan/commit/e99de2aee9f26e3ab97d88902308107d9f048acd
Patch2: strongswan-5.9.9-man-paths.patch
Patch3: strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake